What’s the worst thing a ransomware attack can do to an organization?
For a long time, the answer to that question was to encrypt large numbers of files so that the victim would have to choose between spending weeks restoring data or paying the ransom as a shortcut.
Around four years ago, attackers turned to a new tactic of threatening to release sensitive data stolen during an attack. This has since become so routine it’s almost completely eclipsed the threat from encryption.
More recently, attackers have added other forms of persuasion, such as threatening DDoS attacks or combining several of the tactics mentioned above at once.
But there is one threat that can still outgun even these bad outcomes—the possibility that attackers might contact an organization’s customers or employees directly to tell them their personally identifiable information (PII) has been breached.
It’s a form of victim shaming that Bluefield University, a small college in Virginia, came face to face with after it was breached by the AvosLocker ransomware on April 30.
By the end of day one, this looked for all the world like any other ransomware incident, with the University publishing a fairly standard service alert to students and staff:
“We are working through the investigation to determine the nature and extent of the incident. However, as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.”
Then, at the bottom, they added a more unusual warning:
“Further, we discovered earlier today that the incident impacted our mass alert system, RAMAlert. As such, if you are contacted by anyone claiming to be involved in the incident, please don’t click on any links provided by the individual or respond.”
In other words, the attackers had hijacked a system that allowed them to communicate directly with students and staff, and they reportedly took full advantage of it to warn that PII would be leaked if the University did not pay the undisclosed ransom demand:
“Hello students of Bluefield University! We’re AvosLocker ransomware. We hacked the university network to exfiltrate 1.2TB files,” read one text.
“Do not allow the University to lie about the severity of the attack!” read a second, followed by a threat to leak some data to a dark website on May 8.
Communicating directly with the victims of a data breach is dastardly, but it could also be argued that the attackers are being clear about what’s at stake.
Today, ransomware is still discussed in relation to the effect attacks have on organizations. For years, this made sense because ransomware was mostly about making it hard for organizations to go about their business.
But, as noted at the beginning of this article, this era ended some time ago. Ransomware is now as much about breaching PII as an end in itself. There are now three parties in every attack—the attackers, the ransomed organization, and the data subjects whose PII is on the line.
To anyone familiar with regulations such as the EU’s GDPR, this will sound like an obvious point, and yet many organizations still prefer to ignore its implications. Data subjects are no longer collateral damage but the element of ransomware attacks that might cause the greatest long-term damage.